[nginx] Fixed ngx_parse_time() out of bounds access (ticket #821).

Maxim Dounin mdounin at mdounin.ru
Fri Oct 30 19:16:21 UTC 2015


details:   http://hg.nginx.org/nginx/rev/4ccb37b04454
branches:  
changeset: 6287:4ccb37b04454
user:      Maxim Dounin <mdounin at mdounin.ru>
date:      Fri Oct 30 21:43:30 2015 +0300
description:
Fixed ngx_parse_time() out of bounds access (ticket #821).

The code failed to ensure that "s" is within the buffer passed for
parsing when checking for "ms", and this resulted in unexpected errors when
parsing non-null-terminated strings with trailing "m".  The bug manifested
itself when the expires directive was used with variables.

Found by Roman Arutyunyan.

diffstat:

 src/core/ngx_parse.c |  2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diffs (12 lines):

diff --git a/src/core/ngx_parse.c b/src/core/ngx_parse.c
--- a/src/core/ngx_parse.c
+++ b/src/core/ngx_parse.c
@@ -188,7 +188,7 @@ ngx_parse_time(ngx_str_t *line, ngx_uint
             break;
 
         case 'm':
-            if (*p == 's') {
+            if (p < last && *p == 's') {
                 if (is_sec || step >= st_msec) {
                     return NGX_ERROR;
                 }
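Review bot: the new `p < last &&` guard in `case 'm':` stops `*p` from being read when `p` has already reached `last`, but the diffstat shows only src/core/ngx_parse.c changed, so nothing exercises the input named in the commit message (a non-null-terminated string with a trailing "m", as produced by the expires directive with variables). A regression test for that input would keep the bug from coming back. It is also worth confirming that no other branch of this switch looks at `*p` after the unit character without the same bound check, and adding a one-line comment that the parsed buffer is not guaranteed to be null-terminated, so the reason for the guard stays evident to later readers.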


